Called Karma, the tool let spies steal photos, messages, emails and location data from iPhones by uploading victims’ email accounts or phone numbers to an automated system, the report said.

The cyberattack worked through iMessage, and the spies simply needed to send a victim a text message; the target didn’t need to click on anything or open the message.

The UAE government bought the tool from an outside country, and the attacks were carried out by former US intelligence operatives working as contractors for the UAE, including ex-operatives with the National Security Agency, Reuters reported. Targets reportedly included human rights activists, political dissidents and leaders of rival nations.

The spies used Karma from 2016 to 2017, targeting hundreds of victims, until a security patch from Apple hampered the tool’s effectiveness, Reuters said.

Neither the UAE nor Apple responded to a request for comment.

The NSA said all its former employees “are subject to the same post-employment restrictions that govern other former civil servants employed by the intelligence community” and that “under no circumstance would the agency request that an individual, contractor, foreign government or other US government agency engage in activities on its behalf that the NSA would not itself be authorized to undertake.”

Nation-states often buy and use powerful hacking tools to spy. For many political dissidents, keeping devices secure from hacks can be a life or death matter.

Last March, researchers detailed a global hacking campaign they said involved the Lebanese General Security Directorate. The effort reportedly set sights on victims by tricking them into downloading replica apps filled with malware. The Security Directorate said at the time that it didn’t have such capabilities.

In the above examples, the state-sponsored hacks required victims to fall for a trap, whether it was clicking on a link or downloading a malicious app. With Karma, all the hackers needed to do was send a text message, widening the scope of who the UAE could spy on.

The report on Karma comes as Apple is reeling over a major FaceTime security flaw. The bug, first reported by 9to5Mac on Monday, allowed FaceTime users to listen in on a call’s recipient even if he or she didn’t accept the call.

Apple said it was releasing a patch this week to fix the Group FaceTime vulnerability, and that it has temporarily disabled Group FaceTime until then.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.